
of those in the industry is to look at them through the prism of security and accountability. That is, which part of the company's defense system failed and who is to blame? Once the "what" portion of this question is answered, we can then move on to the "who" part, assign some blame and move on to the next attack.

But looking at the Hannaford incident from a different angle reveals that in this case it's not necessarily a technology or a person, but an industry-wide mindset that's at fault here. The decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations has created a climate in which passing an audit or satisfying a regulator is deemed more important than actually doing what's necessary to protect critical assets. This, as we're seeing on a daily basis now, is a dangerous situation, and it's a problem that must be addressed within each individual organization if it's to be solved.

Already we are seeing cases in which companies hit by data thefts are using compliance with one standard or another as a shield against culpability and potential liability in court. Many of the stories about the Hannaford breach have mentioned that the company has been certified as compliant with the PCI DSS standard, a fact that Hannaford itself trumpets in its online privacy policy statement. Any attorney worth his salt will make that compliance Exhibit A in a defense of the company against lawsuits from consumers. It's an easy way of saying, "Hey, we did everything we could to protect your data. We met the standard implemented by the credit-card companies themselves. What else could we do?"

And for consumers not familiar with such standards and what they actually require, that will be enough in many cases for them to cut Hannaford a break. But the reality is that compliance is by no means synonymous with security. Compliance with PCI, HIPAA, Sarbanes-Oxley or any other regulation simply means that at the time of the most recent audit, the organization met the guidelines set out in the regulation. It does not mean that the organization monitors its compliance with those rules on a continuous basis. It is simply a snapshot of the company's state at one moment in time.

About Behind the Firewall:

In his column, Executive Editor Dennis Fisher sounds off on the latest issues affecting the information security community.

In order for compliance to translate into true security, companies must take to heart the painful experience known as continuous process improvement and constantly work to do things better. That's the way things work in the overwhelming majority of companies dealing with the ever-increasing regulatory burden placed on IT staffs these days. People work hard to do what's necessary to protect their companies' networks and customers while also having to satisfy the checkbox nature of many of these regulations and standards. Sometimes those two requirements mesh. But just as often they don't, and, more's the pity, it's leading us all down a dead-end road.

No one would argue that PCI, SOX et al haven't done some good things for corporate America; certainly they have. But that's almost beside the point now, because in some cases those benefits are outweighed by the enormous amount of time and effort security staffs have to spend on compliance, often at the expense of other projects. We're now beginning to see the results of that compromise, and it's not a pretty picture.

The situation is likely to get worse before it gets better, however. Given the economic climate right now and the upcoming administration transition in Washington, more regulation seems likely as the new president looks to put his (or her) legislative agenda in place and make a mark. And, if the data breaches continue, which of course they will, you can bank on some kind of national disclosure law, as well as more federal regulations for organizations that handle personal information.

How's that for irony? We legislated our way into this mess and we'll probably try to legislate our way out, too.
